The majority of vessel cyber risks are linked back to human error.
This follows a wider trend. According to Gartner, “[…] human failure will be responsible for over 50% of all significant cyber incidents by 2025.”
“So it is clearly the crew’s fault.” Is this actually true?
“Training will definitely make a difference.” Will it?
Let’s unpack this further.
Implementing vessel cyber security is tricky. Traditional controls don’t easily work.
Vessel IT and network infrastructure is not the same as enterprise. To make things harder, fleet operations have unique challenges. Technical cybersecurity controls that are pretty well-established in enterprise and office IT are simply not available in shipping.
- User-based identities and credentials? Tricky. Crew and visitors are continuously changing.
- Tightly restrict internet access? Tricky. Crew often need to visit new websites to complete arrival information at ports.
- Active vulnerability management? Tricky. Most critical systems are managed by third parties and patching may require dry-docking.
- Removable media restrictions? Tricky. A large proportion of shipping processes still operate on removables, from chart updates to piloting to compliance reporting.
- Least functionality for crew? Tricky. Crew need the authority to update a system to complete a task. Otherwise, be prepared to suffer the threat of delays. Operations trump security.
So implementing even basic cybersecurity controls on vessels can be tricky. We looked into the top cyber defensive measures operators have implemented to protect their shipping systems. We also identified the top gaps. The findings are covered in a report we developed with HFW and Thetius – “Shifting tides, rising ransoms and critical decisions”
If you have successfully implemented any of the controls above and would like to share your experience (even anonymously) with our shipping community, please get in touch via email@example.com.
If technical controls are hard, what are shipping operators doing instead?
Other forms of control are easier to implement than technical or logic-based controls. So they have been adopted more widely on shipping systems.
- Physical controls physically prevent unauthorised access. A widely used example is physical USB locks. Sadly, this control is often poorly designed with no alternative way of easily transferring files to/from vessel computers. So the crew are simply given free access to the keys.
- Procedural controls require crew to follow a specific, often manual, process in order to maintain cybersecurity. A typical example is when crew provide remote access to a remote engineer or OEM. They may have a specific checklist to ensure that they are giving access to an authorised person and failure to follow the process could result in unauthorised access. The need for crew to authorise remote access is a key part of the new E26 regulations but we have seen this control fail in penetration tests.
- Policy controls require crew to conform with a requirement, often that they should not do something which could endanger the vessel. An acceptable use policy will often prohibit the installation of unauthorised software but this is frequently ignored.
While many of these are valid if designed properly, they place additional pressure on the crew. It forces them to remember cyber security policies, remember to comply and behave more securely. It is a major addition to their existing roles and responsibilities. It is no wonder the resistance to change is significant.
For such controls to work, we need to make it easier for the crew to behave more securely. Gartner identified in 2023 that a top security trend going forward is to prioritise the employee experience across the security controls. This is so critical, that the US government has also identified human-centric approaches as a top priority in the Federal Cybersecurity Research and Development Strategic Plan 2023.
How can you change crew behaviour?
83% of shipping companies regularly conduct cyber security training and drills.
So most operators should have implemented some training. We detailed the findings in our report in 2022 titled “The Great Disconnect”.
If your organisation is part of the 17% that haven’t implemented training and regularly exercise response plans, you are already behind. Get on with it. Let us know if you need help here.
Equally, if you have run exercises and you have not found any gaps, then are those exercises actually meaningful? Let us know if you need some challenge here.
Unfortunately, training isn’t materially improving security. Insecure behaviour onboard ships continues to be a challenge. Even if we continue to invest in top cybersecurity technologies, if we don’t change behaviour, we won’t improve security.
Imagine if you had a way to:
- Automatically identify the top cyber-related human error onboard.
- Automatically nudge the crew to behave more securely.
- Make it easy for the crew to support the IT team in cyber incident response.
Would this be more effective than training?
Would it encourage the crew to take more responsibility for cyber security?
Would it reduce the workload of the IT team?
CyberOwl has developed an onboard crew engagement dashboard, as an extension to Medulla. We are now piloting this with early adopters. In return for participating as an early adopter, you will gain visibility of the top 3 cyber-related human errors of your crew and free advice on the top practical controls you can implement to mitigate them. Become an early adopter and understand the top 3 human errors of your crew by registering your interest here.
Perhaps changing crew behaviour is not your main focus area. See other actions you can take to improve your vessel cyber risk management:
- Gain access to the benchmarking data – read “Don’t spend another dollar on cybersecurity until you benchmark”
- Make your security operations fit for vessel operations – register interest for “I have managed EDR. Isn’t that enough for my vessels?”
- Learn what it will take to get your vessel UR E26 compliant – register interest for “I’m not planning newbuilds. Why should I care about UR E26?”
Click here to register your interest for upcoming topics to help you improve the cyber resilience of your shipboard systems.